Hooked on Mobile 
Security

Project Fishbowl spurs industry to
 meet military
 and intelligence 
community needs.

U.S. intelligence and defense officials are wrapping up a mobile device pilot program known as the Fishbowl project and are planning over the next year to expand on the capabilities it provides. Doing so is part of a larger strategy to wean the agency and the Defense Department off of government-designed mobile device technology, which will save time and money while providing secure, cutting-edge electronics for high-level government officials and to individual soldiers.

Fishbowl provided 100 Android devices to users across 25 organizations. The name is a reference to the fact that fishbowl users are a closed community capable of talking only to one another on the device, which provides secure voice and data services including email, calendar and some chat capability. “These are all Web-mediated services. We don’t store data directly on the device. It acts as a thin client back to the enterprise so that if the device gets lost, there’s very little data that can be obtained from the device itself,” says Troy Lange, National Security Agency (NSA) senior executive for the mobility mission. The NSA is teamed with the Defense Information Systems Agency (DISA) on the project.

The next step is for DISA to implement an operational capability that will replace the pilot. DISA also will establish a government-owned app store that will add to the catalogue of available software applications for mobile products.

NSA officials also are looking to expand on Fishbowl’s capabilities. The current device, for example, is limited to users within the continental United States. Within the coming year, however, the technology should be usable overseas as well. Agency officials also intend to expand the ability to use apps. “The whole question about applications and being able to unleash innovation from across the community is a future milestone. We have an entire road map that we’re following. Certainly within the next year, you’ll see additional things coming along,” Lange predicts.

Fishbowl marks a continued move within the NSA and the Defense Department toward commercial mobile technologies. Lange says the intent is to get out of the way of innovation and to get away from building government solutions. Instead, the agency is putting out guidance and the architecture to allow others to build their own secure architectures. While the edge device—the phone or tablet, for example—is important, the primary goal is to secure the entire enterprise, so that if one device is compromised the rest of the network is not.

Agency officials learned a lesson from the first attempt to adopt a mobile device. About 10 years ago, the NSA recognized the need for a secure smartphone capability and embarked on an effort to build what it needed using traditional development methods, which included more than 800 requirements, according to Lange. He describes the effort as the original BYOD, which he says stands for “build your own device” rather than “bring your own device.”

That original product was known as the Secure Mobile Environment Personal Electronic Device (SME-PED). “I think the name is a good indication of what it actually looked like,” Lange quips.

At the time, the SME-PED was hailed as a hand-held communication device that would revolutionize secure, portable access to classified information. It enabled users to send and receive both classified and unclassified telephone calls and to exchange classified and unclassified email. In addition, the SME-PED allowed users to Web browse on secure, secret networks.

Users, however, were not impressed. “Lo and behold, in 2007—in the same month and year that the iPhone was introduced to the marketplace, we were introducing this product,” Lange says. “It turns out that it was not a very popular device used in great numbers by our customers. It came out a little bit behind the times. It was a rather large device, and the user experience was not particularly rewarding.”

At that point, NSA officials decided they needed to approach mobility a little differently. “We essentially came up with a strategy where we could introduce consumer commercial devices and configure something layered in such a way to protect national secrets and still keep up with modern technology,” Lange says.

Moving away from government-developed technology presents challenges, of course, because companies that make mobile platforms are not especially motivated to provide NSA-level protection. The Android phones distributed through the Fishbowl project were modified for security purposes. NSA programmers came up with the Nanny app, which prevents unauthorized downloads and ensures device security. The NSA also created an Exorcist script, which eliminates commercial subroutines known as daemons that serve useful purposes but can also compromise security. “We’re certainly looking at moving to a pure commercial solution,” Lange reveals.

The move to a pure commercial solution will save time and money while keeping users more content. “We’ve found out that industry is good at building devices people want to use, and we’re not. Industry spends a lot of time getting the user experience right. They have a huge motivator in the consumer market to be successful at that,” Lange says. “It doesn’t make sense for us to come in behind them and try to make their products more secure.”

Part of the overall strategy is to guide industry to build better products straight out of the box. To do that, NSA officials have put together a capability package, a high-level, architectural document that describes what an architecture with NSA-level security might look like.

The intent is twofold: to allow military and intelligence community customers to build their own NSA-compliant architectures and to nudge the private sector—banking and finance, energy, health care and other critical infrastructure industries—to push for greater security in mobility products. If those industries like what they see in the capability package and want their data protected at the same levels, they could become allies in pushing mobile device vendors to provide greater security, Lange explains. “This is a huge departure for us to publish that in an unclassified way. The government by itself is not large enough to drive that kind of investment, but if we can get other industries interested in what we’re doing, that provides us an opportunity to give the vendors a marketplace that’s big enough to serve,” he says.

Lange cites standard 800-164, Guidelines on Hardware-Rooted Security in Mobile Devices, developed by the National Institute of Standards and Technology, as important to the agency’s mobility goals. “If we see widespread adoption of that, we will greatly advance our ability to get out of the government-specific parts of this architecture,” he declares.

The Fishbowl project is part of the Mobility Program, which was established in response to an urgent need to deliver advanced commercial mobility solutions in a secure environment. The program focuses on leading the evolution and directing the development of scalable, secure mobile communication frameworks and associated architectures founded on commercial technologies. The agency’s mobility team is charged with working across NSA directorates, with Defense Department partners and with other U.S. government agencies to synchronize mobility-related efforts.

The chosen approach has been dubbed “trusted engineering,” a defense-in-depth strategy that ensures redundancy in case any one part of the enterprise fails. For example, data might be transported over a virtual private network and encrypted with Suite B cryptography, an NSA-approved commercial algorithm. But the devil is always in the details, Lange says. Even though Suite B encryption is very strong, it can be improperly implemented, creating vulnerability.

In the past, officials would verify security by going through every single line of code, but that is a time-consuming process. “Today, we would further encrypt the data underneath the virtual private network, so if there is a vulnerability in that first encrypted tunnel, an adversary would find additional encrypted data beneath that,” Lange reveals. But the security layers have to be independent of one another, using different source code to reduce potential risk. “There is a dependency on independence between those two layers,” Lange says. “If those two encrypted layers had the same source code, they would be subject to the same vulnerabilities. But if they’re truly independent of one another, an adversary would have to find two vulnerabilities to get to the classified data.”

The Mobility Program includes other pilots as well. For example, in the spring the agency kicked off a 90-day effort to provide e-readers—tablet devices—to high-ranking Pentagon officials, replacing the large three-ring binders of information they currently lug around.

But the program’s primary goal is to keep pace with technology while protecting classified data. “In all that we’re doing, the purpose is bringing greater efficiency and capability to everybody from the White House to the soldier on the ground. Our continued habit of not being able to embrace modern technology is putting us at a disadvantage, and we really need to address that because there is so much innovation, so much capability, so much efficiency coming out of the ability to go mobile that we really have to figure out how we can enable our national security users to accomplish that as well,” Lange concludes.